请帮助理解我为什么收到
<块引用>错误:您必须登录到服务器(未经授权)
我创建了一个空的 EKS 主机并手动创建了内部角色:
eksctl create iamidentitymapping \
--cluster eks-cluster \
--arn arn:aws:iam::account_number:role/eks_test_full_role \
--username admin \
--group system:masters
它正在工作
eksctl get iamidentitymapping --cluster eks-cluster
ARN USERNAME GROUPS
arn:aws:iam::account_number:role/eks_test_full_role admin system:masters
arn:aws:iam::account_number:role/eks-cluster-eks-workers-iam-role system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes
在我创建了 IAM 用户之后,该用户可以担任具有所有必需权限的创建角色
aws sts assume-role --role-arn arn:aws:iam::account_number:role/eks_test_full_role --role-session-name test
{
"Credentials": {
"AccessKeyId": "",
"SecretAccessKey": "",
"SessionToken": "",
"Expiration": "2021-02-04T10:24:59Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "Role_id:test",
"Arn": "arn:aws:sts::account_number:assumed-role/eks_test_full_role/test"
}
}
我错过了哪一步让它起作用?
附言我的角色和角色绑定
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: dev
name: get-pods
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: get-pods-bind
namespace: dev
subjects:
- kind: User
name: admin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: get-pods
apiGroup: rbac.authorization.k8s.io
答案 0 :(得分:0)
您需要编辑 aws-auth 配置映射并允许此不同的 IAM 用户访问集群。类似于以下内容:
1. kubectl edit cm aws-auth -n kube-system
mapusers 已经存在,那么只需在下一行添加一个以 - 开头的新条目:mapUsers: |
- userarn: arn:aws:iam::<account-id>:user/<name of IAM user>
username: <name of IAM user>
groups:
- system:masters